Libredesk Webhooks Module Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Libredesk, a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 are affected. The application does not validate the destination URL configured for a webhook, so an authenticated 'Application Admin' can direct the server to issue HTTP requests to arbitrary internal addresses, including services on the cloud infrastructure or corporate network where Libredesk is hosted.

Impact

Exploitation allows internal network mapping and unauthorized access to sensitive information held by internal services. Because the request originates from the Libredesk host, it reaches services that trust that host or that are not reachable from the attacker's own network position.

Reproduction

An authenticated 'Application Admin' configures a webhook whose URL points at an internal service. When the webhook fires, the server issues the HTTP request to that destination, bypassing network restrictions that apply to the attacker's own host. The outcome is visible in the server logs, which record whether delivery succeeded or failed; when the internal service returns an error, its response body is logged as well, which can expose sensitive data.

Remediation

Update to Libredesk version 1.0.2-0.20260215211005-727213631ce6 or later. The fixed version adds a configuration option for the CIDR ranges that webhooks are allowed to reach, so operators control which internal destinations remain accessible. After upgrading, review that allowlist and keep it to the specific integration endpoints that are actually needed; in particular, avoid covering loopback or link-local space such as the cloud metadata endpoint. Until the upgrade is applied, limit the 'Application Admin' role to trusted users and apply egress filtering on the Libredesk host.
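The kind of destination check the fix describes, as an added example in Go (the language Libredesk is written in) that is not Libredesk's own code: it resolves the webhook host, rejects any address in loopback, private, link-local (including the cloud metadata endpoint) or multicast ranges unless an operator-configured CIDR allowlist covers it, and re-applies the check inside the HTTP client's dialer so the address vetted at configuration time is the one actually connected to. The names (WebhookPolicy, CheckURL, demoLookup), the blocklist contents and the resolver table are assumptions for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// LookupFunc resolves a hostname and must return literal IPs as-is, as
// net.Resolver.LookupIP does. It is injected so the policy can run offline.
type LookupFunc func(ctx context.Context, host string) ([]net.IP, error)

// WebhookPolicy decides which destination addresses a webhook may reach.
type WebhookPolicy struct {
	AllowedCIDRs []string // operator-configured internal ranges that are permitted
	Lookup       LookupFunc
}

var ErrBlocked = errors.New("webhook destination is a blocked address")
// blockedRanges: loopback, RFC 1918, CGNAT, link-local (which contains the cloud
// metadata endpoint 169.254.169.254), multicast, and the IPv6 equivalents.
var blockedRanges = []string{"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10",
	"127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
	"224.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8"}

// inAny: a malformed CIDR never matches, so a typo in AllowedCIDRs fails closed.
func inAny(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckHost resolves host and returns the vetted addresses. Every answer must
// pass, so a mixed public/private DNS reply is rejected outright.
func (p *WebhookPolicy) CheckHost(ctx context.Context, host string) ([]net.IP, error) {
	ips, err := p.Lookup(ctx, host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("no usable addresses for %q: %v", host, err)
	}
	for _, ip := range ips {
		if !inAny(ip, p.AllowedCIDRs) && inAny(ip, blockedRanges) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrBlocked, host, ip)
		}
	}
	return ips, nil
}

// CheckURL is the configuration-time check: scheme, host and current resolution.
func (p *WebhookPolicy) CheckURL(ctx context.Context, raw string) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("webhook URL must be a valid http(s) URL with a host: %q", raw)
	}
	_, err = p.CheckHost(ctx, u.Hostname())
	return err
}

// Client repeats the check on every connection and dials the vetted IP itself, so a
// DNS answer that changes between configuration and delivery (rebinding) is still
// caught. Redirects are not followed: a 302 to an internal host is a classic bypass.
func (p *WebhookPolicy) Client() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second}
	dial := func(ctx context.Context, network, addr string) (net.Conn, error) {
		host, port, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		ips, err := p.CheckHost(ctx, host)
		if err != nil {
			return nil, err
		}
		return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
	}
	return &http.Client{
		Transport:     &http.Transport{DialContext: dial},
		Timeout:       15 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

// demoLookup is a constructed resolver table standing in for real DNS.
func demoLookup(_ context.Context, host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	table := map[string][]net.IP{
		"hooks.example.com": {net.ParseIP("203.0.113.10")},                          // public (TEST-NET-3)
		"metadata.internal": {net.ParseIP("169.254.169.254")},                       // cloud metadata
		"split.example.com": {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")}, // mixed answer
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}
```

In production the Lookup field would be a closure over net.DefaultResolver.LookupIP with network "ip", and deliveries would go through p.Client() rather than http.DefaultClient. Because the dialer hands http.Transport a plain TCP connection, TLS is still negotiated against the hostname from the URL, so certificate validation is unaffected by dialing the vetted IP. Checking only at configuration time is not enough on its own: the hostname can be pointed at an internal address after the check has passed, which is why the dialer runs CheckHost again on every connection.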

Added: Feb 20, 2026, 12:27 AM
Updated: Feb 20, 2026, 12:27 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 4.8
remediation: 0.0
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.